GGG-R-Z

From IDESG Wiki
Revision as of 04:00, 28 June 2018 by Omaerz (6 revisions imported: Initial Upload of old pages from IDESG Wiki)

Global Glossary Grid - Prepared as a joint research project by Identity Commons and ABA, Business Law Section, Cyberspace Law Committee


Sources of definitions (one grid column per source):
Incommon Federation Participant Operational Practices
E-Authentication Federation Interim Legal Document Suite
ID Commons: Identipedia
Cameron, Posch, Rannenberg: Proposal for a Common Identity Framework: User Centric Identity Metasystem
Wikipedia: Digital Identity
European Union eGovernment Unit: Modinis: Common Terminological Framework for Interop Electronic Identity Management
OpenPrivacy.org
Random Thoughts on Digital Identity Digital Identity Glossary
Milgate: The Identity Dictionary
National Security Telecom Advisory Comm.(NSTAC) Report to the President on Identity Management Strategy
Identity Management Task Force Report 2008
Electronic Authentication Partnership (EAP) Trust Framework
Smedinghoff: Federated Identity Management: Balancing Privacy Rights, Liability Risks and the Duty to Authenticate
Kantara Identity Assurance Framework - Glossary
Center for Democracy and Technology: Issues for Responsible User-Centric Identity
Aspen Institute: Identity in the Age of Cloud Computing***
ID Commons: Lexicon from IdCommons
ABA Identity Management Services Agreement
Oasis: Glossary for the OASIS Security Assertion Markup Language (SAML) V2.0
Liberty Alliance Privacy and Security Best Practices
Liberty Glossary v.2.0
Liberty Identity Assurance Framework
ABA: Public Key Infrastructure (PKI) Assessment Guidelines
International Telecommunications Union (ITU)
RFID Application Privacy Impact Assessment Framework
ITU-T X.1252 Baseline Identity Management Terms and Definitions
Recommendation X.1252: Baseline Identity Management Terms and Definitions
Draft Recommendation X.1252: Baseline Identity Management Terms and Definitions
Draft Recommendation ITU-T X.priva, Criteria for assessing the level of protection for personally identifiable information in IdM
Draft Recommendation ITU-T X.1275, Guideline on Protection of Personally Identifiable information in the application of RFID Technology
Generally Accepted Privacy Principles: A Global Privacy Network
Glossary of Terms
2006 Identity Fraud Survey Report
Identity management Terminology
Federal Information Processing Standards Publication
Glossary of Key Information Security Terms
National Strategy for Trusted Identities in Cyberspace

role management

Roles and role assignment are unlikely to remain static for any length of time. Because of this, they must be managed -- the entitlements associated with a role must be reviewed and updated, and the users assigned the role, implicitly or explicitly, must be reviewed and changed. The business processes used to effect these reviews and changes are collectively referred to as role management (sometimes enterprise role management).

role mining

Where enterprise roles are used to manage entitlements, they must first be defined and assigned to users. These definitions normally take place in the context of an organization where users already have entitlements -- some of them required for their jobs, and others inappropriate or stale. Role mining refers to an analysis of existing entitlements in an effort to extract a workable role model.

role model

A role model is a set of role definitions and a set of implicit or explicit role assignments.

role policy enforcement

Where entitlements on multiple systems are modeled with enterprise roles, an enforcement process can periodically compare actual entitlements with those predicted by the model and respond to variances -- by automatically making corrections, asking for deviations to be approved, etc. This periodic checking process is called role policy enforcement.

role violation

A role violation is a situation where a user is assigned an entitlement that contradicts the user's role assignment. The entitlement may be excessive -- i.e., not predicted by the role -- or it may be inadequate -- i.e., the role assignment predicts that the user should have an entitlement, but the user does not.

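One enforcement pass of the kind described under role policy enforcement and role violation, as an added example that is not part of the glossary (all role names, users, systems and entitlement data are constructed): it derives the entitlements the role model predicts for each user, diffs them against a snapshot of actual grants, classifies each variance as an excessive or inadequate role violation, and chooses a response for it.

```python
from dataclasses import dataclass

# Constructed role model: role definitions (role -> entitlements, each
# entitlement being a (system, right) pair) and explicit role assignments.
ROLE_DEFINITIONS = {
    "payroll_clerk": {("hr_system", "view_salaries"), ("hr_system", "run_payroll")},
    "developer": {("git", "push_main"), ("ci", "trigger_build")},
    "helpdesk": {("ad", "reset_password")},
}
ROLE_ASSIGNMENTS = {
    "alice": {"payroll_clerk"},
    "bob": {"developer", "helpdesk"},
    "carol": {"helpdesk"},
}

# Constructed snapshot of the entitlements the target systems actually grant
# (what a collector would read out of each system's security database).
ACTUAL_ENTITLEMENTS = {
    "alice": {("hr_system", "view_salaries"), ("hr_system", "run_payroll"),
              ("git", "push_main")},                      # git right not predicted by her role
    "bob": {("git", "push_main"), ("ci", "trigger_build")},  # helpdesk right is missing
    "carol": {("ad", "reset_password")},
    "dave": {("hr_system", "run_payroll")},               # holds no role at all
}


@dataclass(frozen=True)
class RoleViolation:
    user: str
    system: str
    right: str
    kind: str  # "excessive": not predicted by any role; "inadequate": predicted but absent


def predicted_entitlements(user, definitions=ROLE_DEFINITIONS, assignments=ROLE_ASSIGNMENTS):
    """Entitlements the role model predicts for a user: the union over the user's roles."""
    predicted = set()
    for role in assignments.get(user, set()):
        predicted |= definitions.get(role, set())  # an undefined role predicts nothing
    return predicted


def find_role_violations(actual=ACTUAL_ENTITLEMENTS, definitions=ROLE_DEFINITIONS,
                         assignments=ROLE_ASSIGNMENTS):
    """One enforcement pass: diff actual grants against the model for every known user,
    including users that appear only in the snapshot (no role assigned)."""
    violations = []
    for user in sorted(set(actual) | set(assignments)):
        predicted = predicted_entitlements(user, definitions, assignments)
        have = actual.get(user, set())
        for system, right in sorted(have - predicted):
            violations.append(RoleViolation(user, system, right, "excessive"))
        for system, right in sorted(predicted - have):
            violations.append(RoleViolation(user, system, right, "inadequate"))
    return violations


def plan_responses(violations, auto_revoke_systems=frozenset({"git"})):
    """Map each variance to a response: automatic correction where the system is
    trusted for it, otherwise a request for the deviation to be approved."""
    actions = []
    for v in violations:
        if v.kind == "inadequate":
            actions.append(("grant", v))               # model says the user should have it
        elif v.system in auto_revoke_systems:
            actions.append(("revoke", v))              # excessive and safe to correct automatically
        else:
            actions.append(("request_approval", v))    # excessive; needs a human decision
    return actions


if __name__ == "__main__":
    for action, v in plan_responses(find_role_violations()):
        print(f"{action:16} {v.user:6} {v.system}:{v.right} ({v.kind})")
```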
root CA

The endpoint in a chain of trust.

rule

A term or condition of participation manifested as an Operating Rule or Business Rule.

The implementation of a decision that determines the Permissions of a Group, a Role or an identity whose access is based on particular attributes.

rules of behavior

Rules that have been established and implemented concerning use of, security in, and acceptable level of Risk for the System. Rules will clearly delineate responsibilities and expected behavior of all individuals with access to the System. Rules should cover such matters as work at home, dial-in access, connection to the Internet, use of copyrighted works, unofficial use of Federal Government equipment, the assignment and limitation of System privileges, and individual accountability.

same sign-on

The process whereby infrastructure presents the same authentication credentials (or some other predetermined information or token) to a subsequent application, without the user re-entering it, or even being aware of it. This enables third-party packaged applications whose built-in authentication cannot be detached to behave as though they were participating in a Single Sign-on solution.

SAML

An XML-based standard defining a means for making assertions about events, attributes, and policy evaluations concerning subjects [SAMLCore11]. In Liberty usage, SAML subjects are typically Principals.

SAML artifact

A SAML Artifact of "small" bounded size is carried as part of a URL query string such that, when the artifact is conveyed to the source site, the artifact unambiguously references an assertion. The artifact is conveyed via redirection to the destination site, which then acquires the referenced assertion by some further steps. Typically, this involves the use of a registered SAML protocol binding. This technique is used in the browser/artifact profile of SAML.

A small, fixed-size, structured data object pointing to a typically larger, variably-sized SAML protocol message. SAML artifacts are designed to be embedded in URLs and conveyed in HTTP messages, such as HTTP response messages with "3xx Redirection" status codes, and subsequent HTTP GET messages. In this way, a service provider may indirectly, via a user agent, convey a SAML artifact to another provider, who may subsequently dereference the SAML artifact via a direct interaction with the supplying provider, and obtain the SAML protocol message. Various characteristics of the HTTP protocol and user agent implementations provided the impetus for concocting this approach. The HTTP Artifact binding section of [SAMLBind] defines both the SAML Artifact format and the SAML HTTP protocol binding incorporating it.

SAML assertion

A statement from a verifier to a relying party that contains identity information about a subscriber. Assertions may also contain verified attributes. Assertions may be digitally signed objects or they may be obtained from a trusted source by a secure protocol.

See assertion.

SAML authority

An abstract system entity in the SAML domain model that issues assertions. See also attribute authority, authentication authority, and policy decision point (PDP).

An abstract system entity in the SAML domain model that issues assertions [SAMLGloss2].

SASL mechanism

A SASL mechanism is an authentication mechanism that has been profiled for use in the context of SASL [RFC4422]. See [RFC2444] for a particular example of profiling an existing authentication mechanism -- one-time passwords [RFC2289] -- for use as a SASL mechanism. See also [LibertyAuthn].

secret key

A cryptographic key that must be protected from unauthorized disclosure to protect data encrypted with the key. The use of the term "secret" in this context does not imply a classification level; rather, the term implies the need to protect the key from disclosure or substitution.

secret Q&A

An identity credential; previously stored personal questions and answers. Also known as Challenge/Response. It can be used for stronger authentication (as additional passwords) or for password resets (if forgotten). For example: mother's maiden name, name of your first pet, favourite football team, preferred cuisine. It must be stored encrypted. It may be compromised by social engineering and multiple attempts. Not to be confused with shared information (such as date of birth, last payment amount, last document reference number), which is not encrypted and is known to the service provider and anyone on their help desk; these are not secret although they are sometimes called by the misnomer "shared secrets".

section 508

In 1998, Congress amended the Rehabilitation Act to require Federal agencies to make their electronic and information technology accessible to people with disabilities. The purpose of this part is to implement Section 508 of the Rehabilitation Act of 1973, as amended (29 U.S.C. 794d). Section 508 requires that when Federal agencies develop, procure, maintain, or use electronic and information technology, Federal employees with disabilities have access to and use of information and data that is comparable to the access and use by Federal employees who are not individuals with disabilities, unless an undue burden would be imposed on the Agency. Section 508 also requires that individuals with disabilities, who are members of the public seeking information or services from a Federal Agency, have access to and use of information and data that is comparable to that provided to the public who are not individuals with disabilities, unless an undue burden would be imposed on the Agency.

secure

Online transactions are secure if the implementation mechanisms meet their predefined security objectives of correctly authenticating the parties to the transaction, preventing unauthorized access to and release of data, assuring availability, faithfully conducting and recording any negotiation, and preserving the confidentiality and integrity of information. Pre-defined security objectives vary widely depending on the need.

secure kiosk account (SKA)

A secure kiosk account is a special Windows login ID and password, which is well known to users (for example, it may be advertised on the wallpaper image of the login screen). Special security policies are applied to this account, so that when it signs into a Windows workstation, a locked down (kiosk-mode) web browser is launched instead of the normal Windows desktop.

An SKA is a mechanism that allows users to access a self-service password reset web application despite being locked out of the initial workstation login screen.

secure sockets layer protocol (SSL)

An Internet protocol (originally developed by Netscape Communications, Inc.) that uses connection-oriented end-to-end encryption to provide data confidentiality service and data integrity service for traffic between a client (often a Web browser) and a server and that can optionally provide peer entity authentication between the client and the server. See Transport Layer Security. [RFC2828].

security

A collection of safeguards that ensures the confidentiality of information, protects the integrity of information, ensures the availability of information, accounts for use of the system, and protects the system(s) and/or network(s) used to process the information.

A collection of safeguards that ensure the confidentiality of information, protect the systems or networks used to process it, and control access to them. Security typically encompasses the concepts of secrecy, confidentiality, integrity, and availability. It is intended to ensure that a system resists potentially correlated attacks. [CyberTrust]

security administrator

A security administrator is a person responsible for maintaining a list of users, their identity attributes, their passwords or other authentication factors and their security privileges on one or more target systems. The security administrator may not have the responsibility or ability to reconfigure or otherwise manage the system itself -- that is the job of a system administrator.

security architecture

A plan and set of principles for an administrative domain and its security domains that describe the security services that a system is required to provide to meet the needs of its users, the system elements required to implement the services, and the performance levels required in the elements to deal with the threat environment. A complete security architecture for a system addresses administrative security, communication security, computer security, emanations security, personnel security, and physical security, and prescribes security policies for each. A complete security architecture needs to deal with both intentional, intelligent threats and accidental threats. A security architecture should explicitly evolve over time as an integral part of its administrative domain's evolution.

security assertion

An assertion that is scrutinized in the context of a security architecture.

security assertion markup language (SAML)

XML-based framework for ensuring that transmitted communications are secure. SAML defines mechanisms to exchange authentication, authorization and nonrepudiation information, allowing single sign-on capabilities for Web services.

The set of specifications describing security assertions that are encoded in XML, profiles for attaching the assertions to various protocols and frameworks, the request/response protocol used to obtain the assertions, and bindings of this protocol to various transfer protocols (for example, SOAP and HTTP).

An XML-based protocol whereby one web service (the identity provider) may make assertions about the identity or rights of a user (the principal) to another web service (the service provider).

SAML allows for single sign-on between domains, in cases where cookies, for example, cannot be used (web browsers in general only allow cookies to be submitted to the same domain that issued them).

In practical terms, users authenticate to the identity provider. When users attempt to access content or applications on the service provider, their web browser is directed to request SAML assertions from the identity provider and pass those back to the service provider. In this way, the service provider no longer has to authenticate the user directly, and instead relies on statements about the user made by the identity provider, which does authenticate the user.

security audit

An independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, to detect breaches in security, and to recommend any indicated changes in control, policy and procedures.

security context

With respect to an individual SAML protocol message, the message's security context is the semantic union of the message's security header blocks (if any) along with other security mechanisms that may be employed in the message's delivery to a recipient. With respect to the latter, examples are security mechanisms employed at lower network stack layers such as HTTP, TLS/SSL, IPSEC, etc.

With respect to a system entity, "Alice", interacting with another system entity, "Bob", a security context is nominally the semantic union of all employed security mechanisms across all network connections between Alice and Bob. Alice and Bob may each individually be, for example, a provider or a user agent. This notion of security context is similar to the notion of "security contexts" as employed in [RFC2743], and in the Distributed Computing Environment [DCE], for example.

security credentials

Credentials are the data used to both identify and authenticate a user. The most common credentials are login IDs and passwords. Other credentials refer to other types of authentication factors, including biometric samples of the user, public key certificates, etc.

security criteria

A commonly agreed source for evaluating security properties of IT products and systems or entities. Examples are the European Union's Information Technology Security Evaluation Criteria (ITSEC) and the international Common Criteria for Information Technology Security Evaluation (equivalent to ISO standard 15408).

security database

A security database is the native storage used by a system or application to house records about users, passwords and privileges. Examples are the SAM database in Windows, passwd file on Unix/Linux and RACF on mainframes.

security domain

A set of elements, a security policy, a security authority and a set of security-relevant activities in which the elements are managed in accordance with the security policy. The policy will be administered by the security authority. A given security domain may span multiple security zones.

An environment or context that is defined by security models and a security architecture, including a set of resources and set of system entities that are authorized to access the resources. One or more security domains may reside in a single administrative domain. The traits defining a given security domain typically evolve over time.

security domain authority

A security authority that is responsible for the implementation of a security policy for a security domain.

security entitlement audit

In many organizations, security entitlements have to be reviewed from time to time. This is done because business processes relating to changing needs are often reliable with respect to granting new entitlements, but less reliable with respect to deactivating old, unneeded entitlements. A periodic audit can be used to find and remove such old, unneeded entitlements.

security entitlement change

Users' needs to access sensitive resources may change from time to time. For example, an employee may join a new project, finish an old one or change roles. When this happens, new security entitlements are often needed and old ones should be removed.

security entitlements

A security entitlement is a right granted to a user's account on a given system to access some data or function.

The Burton Group defines an entitlement as:

An entitlement is the object in a system's security model that can be granted or associated to a user account to enable that account to perform (or in some cases prevent the performance of) some set of actions in that system. It was commonly accepted that this definition of entitlement referred to the highest-order grantable object in a system's security model, such as an Active Directory group membership or SAP role, and not lower-order objects such as single-file permission setting.

Definition by Ian Glazer, in Access Certification and Entitlement Management v1, September 9, 2009. http://www.burtongroup.com/Client/Research/Document.aspx?cid=1732 (login required)

security equivalence

Two authentication processes are considered to be equivalent if (a) they are about equally difficult to defeat or (b) by defeating one of them, an intruder can subsequently defeat the other.

An example of the latter is a PIN-based enrollment of challenge/response data. In this scenario, users are e-mailed a PIN, which they use to authenticate and complete a personal challenge/response profile. This profile may later be used in the context of self-service password reset. In this scenario, the PINs are equivalent to the challenge/response data, and that is equivalent to user login passwords -- so ultimately enrollment PINs are security-equivalent to login passwords (a bad thing!).

security group

A security group is a named collection of users, which has been defined in order to simplify the assignment of entitlements. The idea is to assign multiple entitlements to the group, rather than assigning entitlements, again and again, to every user that belongs to the group.

security policy

A set of rules and practices that specify or regulate how a system or organization provides security services to protect resources. Security policies are components of security architectures. Significant portions of security policies are implemented via security services, using security policy expressions.

security policy expression

A mapping of principal identities and/or attributes thereof with allowable actions. Security policy expressions are often essentially access control lists.

security presentation

A set consisting of elements like knowledge of secrets, possession of security devices or aspects of administration which are associated with automated claims approval. These elements derive from technical policy and legal contracts of a chain of administrative domains.

security service

A processing or communication service that is provided by a system to give a specific kind of protection to resources, where said resources may reside with said system or reside with other systems, for example, an authentication service or a PKI-based document attribution and authentication service. A security service is a superset of AAA services. Security services typically implement portions of security policies and are implemented via security mechanisms.

security target

A Common Criteria-based construct defining the structure and content for an implementation-specific set of security requirements for an IT product or system.

security token

A set of claims.

In Liberty, a security token is a collection of security-related information that is used to represent and substantiate a claim [LibertyIDWSFSecurityPrivacyGuidelines] [LibertySecMech].

Outside of Liberty, the term "security token" often refers to hardware-based devices, e.g., so-called "token cards." One should not confuse the latter and the former definitions. However, it is possible for some given authentication mechanism to employ token cards in the process of authentication.

security zone

A protected area. This is defined by operational control, location, and connectivity to other device/network elements.

A protected area defined by operational control, location, and connectivity to other device/network elements.

segregation of duties policy

A segregation of duties (SoD) policy is a rule regarding user entitlements intended to prevent fraud. It stipulates that one user may not concurrently be assigned two or more key functions in a sensitive business process.

self signed certificate

A digital certificate where the issuer and subject are the same. There is no way to verify the certificate except by checking it against itself; it must be manually configured.

self-asserted identity

An identity asserted by an entity itself.

An identity that an entity declares to be its own.

self-service password reset

Self-service password reset (SSPR) is a process by which users reset their own forgotten passwords without involving the help desk. Users normally authenticate using challenge/response, a hardware token or a biometric.

SSPR is normally deployed to reduce IT support cost, by diverting the resolution of password problems away from the (expensive, human) help desk.

sender

(1) A role donned by a system entity when it constructs and sends a message to another system entity. See also SOAP sender in [SOAPv1.2].

(1a) An initial SOAP sender. A sender is a proxy when its identity differs from the invocation identity.

sensitive information

Information that must be protected due to the risk of loss or harm resulting from disclosure, alteration, or destruction.

sensitive personal information

Personal information that requires an extra level of protection and a higher duty of care, for example, information on medical or health conditions, certain financial information, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sexual preferences, or information related to offenses or criminal convictions.

separation of duties

Mutually exclusive access or roles. This involves dividing responsibility for sensitive information or risky actions so that no individual acting alone can compromise a system. As a security principle, it has as its primary objective the prevention of fraud and errors. This principle is demonstrated in the occasional requirement for two signatures on a bank cheque, or by preventing a person from authorising their own workflow requests.

sequential approvals

A sequential authorization process is one where multiple authorizers are invited to comment, one after another.

Sequential (or serial) authorization has the advantage of minimizing the nuisance to authorizers in the event that an early authorizer rejects a change request.

server

A server is a networked entity with at least one non-anonymous identity that represents a legal entity. A server is intended to be always connected to the network, providing one or more services to other network entities.

A role donned by a system entity that provides a service in response to requests from other system entities called clients [RFC2828]. Note that in order to provide a service to clients, a server will often be both a sender and a receiver.

server passwords

Server passwords are passwords stored in the security database on a network server. Servers typically have fixed addresses, are (almost) always turned on and respond to requests they receive on the network.

service

A digital entity comprising software, hardware and/or communications channels that interacts with subjects.

A set of functions and facilities offered to a user by a provider.

(1) A collection of endpoints designed to offer some service or to provide information [WSDLv1.1].

(2) Short form of ID-WSF Service or ID-WSF-based Service.

service account password

A service account password is used on Windows systems to start a service program which runs in a context other than that of the SYSTEM user. The service control manager uses a login ID and password (of the service account) to start the service program.

service assessment criteria (SAC)

A set of requirements levied upon specific organizational and other functions performed by electronic trust services and service providers. Services and service providers must comply with all applicable criteria to qualify for EAP approval.

A set of requirements levied upon specific organizational and other functions performed by electronic trust services and service providers. Services and service providers must comply with all applicable criteria to qualify for Kantara Initiative approval and earn the Kantara Initiative Mark.

A set of requirements levied upon specific organizational and other functions performed by electronic trust services and service providers. Services and service providers must comply with all applicable criteria to qualify for IAEG approval.

service discovery

The act of looking up one or more services in the Discovery Service.

service instance

The physical instantiation of a service. A service instance is a web service at a distinct endpoint.

See also ID-WSF Endpoint Reference.

service instance address

An address of a service instance, typically expressed in URI syntax [RFC3622].

service level agreement

Stipulates and commits a Federation Member to a required level of service. It also specifies, as appropriate, enforcement or penalty provisions for services not provided, a guaranteed level of System performance as relates to downtime or uptime, a specified level of customer support and what software or hardware will be used.

service level standards

The standards the Subject will meet or exceed in providing the Identity Management Services described in Section 2, as described in Schedule F to this Agreement.

Service Provider

Receives attribute assertions from another Participant. A campus or other organization that makes on-line resources available to users based in part on information about them that it receives from other InCommon participants.

The service provider, also referred to as the relying party, provides a service to the user, based on identity information provided by an identity provider.

Manage user accounts, verify identity claims, and reset forgotten passwords. Users benefit from not having to register with each new service provider, and not having to remember separate user names and passwords.

A role donned by a system entity where the system entity provides services to principals or other system entities.

An entity that provides services and/or goods to Principals.

(1) A role donned by system entities. In the Liberty architecture, Service Providers interact with other system entities primarily via vanilla HTTP.

(2) From a Principal's perspective, a Service Provider is typically a website providing services and/or goods.

Service providers may provide an access gateway to the Internet, security services, storage or processing services, or access to information and applications or a combination of these services.

service request

A service request is another term for an ordinary ID-* message sent by a client. Service request is also loosely equivalent to a "SOAP-bound (ordinary) ID-* message".

service type URI

ID-WSF-based services are assigned a Service Type URI as a part of each service's definition. The Service Type URI is a factor in service discovery [LibertyDisco].

session

A single Identity authentication period and its associated activity (temporary, non-persistent). Usually from logon until logoff or time-out, sustained with a local session cookie.

A lasting interaction between system entities, often involving a Principal, typified by the maintenance of some state of the interaction for the duration of the interaction.

[Merriam-Webster] defines session (in its sixth sense [sic]) as: "a meeting or period devoted to a particular activity" [as in "an Irish drinking session" Ed.]. Thus, a given interaction between some set of system entities may involve a notion of session, especially if one or more of the system entities maintain session state.

session authority

A role donned by a system entity when it maintains state related to sessions. Identity providers often fulfill this role.

session hijack - session piggyback

This is where an unknown identity acts to take over a legitimate on-line session after the known identity has successfully authenticated. It can be thwarted by good application design.

session identifier (SID)

Mechanism for indicating to the AA that there is prefill or data transfer available.

session participant

A role donned by a system entity when it participates in a session with at least a session authority.

session reset

A request by an AA to re-authenticate an End-User already authenticated, resulting in a hand-off of the End-User to the CS. This request derives from the AA's Agency session policy.

session state

If an interaction between system entities involves one or more of the system entities maintaining information pertaining to the interaction itself (such as who the other involved system entity(ies) are, when the interaction began, etc.), then there likely is an explicit notion of session and thus this information is termed session state information.

See also local session state.

shared account

A shared account is a login ID on a system or application that is used by more than one human or machine user. Privileged accounts are often shared: for example, root, sa or Administrator by system administrators.

signatory

An Approved Party and the GSA who signs and is bound by the terms and conditions of this document.

A party that opts into and agrees to be bound by the EAP Rules according to the specified procedures.

A party that opts into and agrees to be bound by the AAS-defined agreements according to the specified procedures.

A party that opts into and agrees to be bound by the IAEG Rules according to the specified procedures.

signer

Entity identified as subject in the certificate whose public key verifies a digital signature for a message or a record.

simple authentication and security layer

SASL

SASL [RFC4422] is an approach to modularizing protocol design such that the security design components, e.g., authentication and security layer mechanisms, are reduced to a uniform abstract interface. This facilitates a protocol's use of an open-ended set of security mechanisms, as well as a so-called "late binding" between implementations of the protocol and the security mechanisms' implementations. This late binding can occur at implementation- and/or deployment-time. The SASL specification also defines how one packages authentication and security layer mechanisms to fit into the SASL framework, where they are known as SASL mechanisms, as well as register them with the Internet Assigned Numbers Authority [IANA] for reuse.

simple object access protocol (SOAP)

A Web Service Consumer (WSC) implementing the client-side of the ID-WSF Single Sign-On Service [LibertyAuthn].

simple role

A simple role is a collection of entitlements defined within the context of a single system. Roles are used to simplify security administration on systems and applications, by encapsulating popular sets of entitlements and assigning them as packages, rather than individually, to users.

single sign-on (SSO)

Once-only assertion / authentication per session, per credential.

From a Principal's perspective, single sign-on encompasses the capability to authenticate with some system entity (in the Liberty context, an Identity Provider) and have that authentication honored by other system entities, termed Service Providers in the Liberty context.

Note that upon authenticating with an Identity Provider, the Identity Provider typically establishes and maintains some notion of local session state between itself and the Principal's user agent. Service Providers may also maintain their own distinct local session state with a Principal's user agent.

Single sign-on (SSO) is any technology that replaces multiple, independent system or application login prompts with a consolidated authentication process, so that users don't have to repeatedly sign in.

single sign-on service (SSO service, SSOS)

An ID-WSF-based service providing WSCs a means of obtaining ID-FF authentication assertions [LibertyAuthn].

single-use password

A password that can only be used once, in sequence from a list, with no time-based limitations. Also known as Sequence Synchronisation. For example, a code printed on a "scratchie", used as a password or for ticket validation. An initial password on a new account would also qualify.

site

An informal term for an administrative domain in geographical or DNS name sense. It may refer to a particular geographical or topological portion of an administrative domain, or it may encompass multiple administrative domains, as may be the case at an ASP site.

smart card

A plastic card that contains a small computer chip. It may be contactless (RF), may have a visible computer chip (contacts), a magnetic stripe and/or a bar-code, to electronically store and process credentials. It may also have a photo on it and/or in it, and other printed information on it. It may be used for personal identification, physical access to facilities such as buildings and/or logical access to applications. The inclusion of all three aspects (ID, physical and logical access) in the one token is a convenience for issuing and management, but it is an inconvenience to the Identity if lost or misplaced and thus it may represent a greater overall security risk.

A smart card is a credit-card-sized device that houses an integrated circuit, with some processing and storage capabilities. Smart cards are often used to carry a user's private encryption key and one or more certificates (the user's signed public key or other keys).

Smart cards are useful for authentication since they constitute an authentication factor (something the user has), and they often require a second factor (something the user knows, e.g., a password typed in by the user) to be activated.

SOAP header block

A [SOAPv1.2] term meaning: An [element] used to delimit data that logically constitutes a single computational unit within the SOAP header. In [SOAPv1.1] these are known as simply SOAP headers, or simply headers. Liberty specifications borrow the SOAPv1.2 terminology.

SOAP node

A [SOAPv1.2] term describing system entities who are parties to SOAP-based message exchanges that are, for purposes of this specification, also the ultimate destination of the exchanged messages, i.e., SOAP endpoints. In [SOAPv1.1], SOAP nodes are referred to as SOAP endpoints, or simply endpoints. The Liberty specifications borrow the SOAPv1.2 terminology.

SOAP-bound ID-* message

A SOAP message conveying ID-WSF and perhaps ID-SIS header blocks and conveying either an ordinary ID-* message or an ID-* fault message. After being bound to SOAP, the resultant composite messages are referred to as an Ordinary SOAP-bound ID-* Message and a SOAP-bound ID-* Fault Message, respectively.

soft certificate

A digital certificate where the private key is created in such a manner that it can be easily copied or shared. This makes it insecure. Also see Hard Certificate.

software token

A software token is the same as a hardware token except that it is installed as a piece of software on a device that the user already has, such as a cell phone, PDA or the user's personal computer.

specified service

The electronic trust service which for the purposes of an EAP assessment is the subject of criteria set out in a particular SAC, or in an application for assessment, in a grant of an approval or other similar usage as may be found in various EAP documentation.

The electronic trust service which, for the purposes of an AAS assessment, is the subject of criteria set out in a particular SAC, or in an application for assessment, in a grant of an approval or other similar usage as may be found in various IAWG documentation.

The electronic trust service which, for the purposes of an IAEG assessment, is the subject of criteria set out in a particular SAC, or in an application for assessment, in a grant of an approval or other similar usage as may be found in various IAEG documentation.

sponsor

A Sponsor is the person that has authorized the issuance of a certificate to a specific individual or organization. For example, an employee's manager may be the Sponsor of a certificate to be issued to the employee. In the case of a certificate for a citizen or a commercial enterprise, the Sponsor could be the manager of the business unit that has a requirement to communicate with that Entity. The Sponsor might suggest an appropriate DN for the certificate and will be responsible for either supplying or confirming the certificate attribute details to the RA. The Sponsor may also be responsible for informing the CA or RA if the business unit's relationship with the Subscriber is terminated or has changed such that the certificate should be revoked or updated.

spoof

The process of faking or attacking a credential; to reproduce a credential without proper authority.

SSL - Secure Socket Layer protocol

The SSL protocol uses private and public keys to authenticate a service provider's web server to the browser. The protocol also creates encryption keys to protect the integrity and confidentiality of information as it traverses the Internet. The server generates a short-term public/private key pair using a long-term private key belonging to the server. The server periodically changes its short-term private key, discarding any previous versions, and the client uses the short-term public key to encrypt a symmetric key for use during the session. This renders records of previous sessions undecryptable. Sometimes referred to as providing "perfect forward secrecy". A Hardware Security Module (HSM) is often used both to securely store the private keys and to accelerate the encryption-decryption process.

standard

A published statement on a topic specifying the characteristics, usually measurable, that must be satisfied or achieved to comply with the standard.

A published statement on a topic specifying characteristics, usually measurable, that must be satisfied or achieved in order to comply with the standard.

static SoD policy

A static segregation of duties policy is one that prevents one login account or user profile from having two or more conflicting entitlements. These entitlements may be thought of as a toxic combination. For example, the same user may not both authorize an expense and print the cheque to pay for it.

step up authentication

To transact at a higher assurance level during an already authenticated session may require a stronger credential; that is, to step up the credential strength by submitting an additional or stronger credential. It is a design decision that favours ease of user access over the strongest possible authentication at initial logon time.

strength

Strength is an attribute of an identity within an interaction which gives a technical basis upon which to believe that the specified entity is represented by the identity.

The technical and procedural basis on which to believe that a particular process or data attribute is accurate.

strong authentication

Strong authentication refers to an authentication process which is difficult to simulate. It may be based on use of multiple authentication factors or use of a single but hard-to-spoof authentication factor.

subject

The consumer of a digital service (a digital representation of a natural or juristic person, persona, group, organization, software service or device) described through claims.

An entity that is able to use an electronic trust service subject to agreement with an associated subscriber. A subject and a subscriber can be the same entity.

The person that is identified in a particular credential and that can be authenticated and vouched for by an Identity Provider.

An individual to whom Credential Service Provider issues a Credential.

A principal in the context of a security domain. SAML assertions make declarations about subjects.

subject access request (Data Protection Act)

Under the Data Protection Act, individuals can ask to see the information about themselves that is held on computer and in some paper records. If an individual wants to exercise this subject access right, they should write to the person or organisation that they believe is processing the data.

A subject access request must be made in writing and must be accompanied by the appropriate fee. In most cases, the maximum fee will be £10, but this can vary, particularly if the information requested is for health or educational records. If a subject access request is made to a credit reference agency for financial information (i.e. a credit file), then the fee is £2, and the information must be provided within seven working days. A request must include enough information to enable the person or organisation to whom the subject is writing to satisfy itself as to their identity and to find the information.

A reply must be received within 40 days as long as the necessary fee has been paid. A data controller should act promptly in requesting the fee or any further information necessary to fulfil the request. If a data controller is not processing personal information of which this individual is the data subject, the data controller must reply saying so.

subject acting as (SAA)

An SAA is a subject that acts on behalf of another subject. One example would be a person who is given a "power of attorney" by another person. Similarly, government officials sometimes act on behalf of specific citizens. Another common case is that of digital services that act on behalf of other subjects.

subject CA

In the context of a particular CA certificate, the subject CA is the CA whose public key is certified in the certificate. See Issuing CA.

subject of a certificate

The person, process, or device named in a certificate as the subscriber.

subscriber

A party that has entered into an agreement to use an electronic trust service. A subscriber and a subject can be the same entity.

A person who (1) is the subject named or identified in a certificate issued to such person, and (2) holds a private key that corresponds to a public key listed in that certificate.

subscriber agreement

An agreement between a subscriber and either a CA, RA, or both that establishes the rights and obligations of the parties regarding the issuance and management of certificates.

substantive claim

A claim produced by a claims provider, as opposed to a primordial claim.

support analyst

An IT support analyst is a user with special privileges that allow him to assist other users, for example by resetting their forgotten passwords.

suspend a certificate

To temporarily suspend the operational period of a certificate for a specified time period.

symmetric authentication method

A method of authentication in which both entities share common authentication information.

system

System is a generic term used for briefness to mean either a major application or a general support System.

system entity, entity

An active element of a computer/network system. For example, an automated process or set of processes, a subsystem, a person or group of persons that incorporates a distinct set of functionality.

An active element of a computer/network system. For example, an automated process or set of processes, a subsystem, a person or group of persons that incorporates a distinct set of functionality [SAMLGloss2].

system of records notice

The Privacy Act of 1974 (5 U.S.C. § 552a, the Act) requires agencies to inform the public of the existence of Systems of Records containing personal information, to give individuals access to records about themselves in a System of Records, and to manage those records in a way to ensure fairness to individuals in Agency programs. For the Privacy Act to work effectively, it is imperative that each Agency properly maintain its Systems of Records and ensure that the public is adequately informed about the Systems of Records the Agency maintains and the uses that are being made of the records in those Systems. Therefore, agencies must periodically review their Systems of Records and the published notices that describe them to ensure that they are accurate and complete. OMB Circular A-130, "Management of Federal Information Resources," (61 Fed. Reg. 6428, Feb. 20, 1996) requires agencies to conduct periodic reviews, and this memorandum satisfies that requirement for calendar year FY 1999. Agencies should continue to conduct reviews in accordance with the schedule in Appendix I of the Circular.

target connector

A connector is a piece of software used to integrate an identity management system with a given type of target system.

target of evaluation

The Common Criteria term for the information technology product or system (including its guidance documentation) for which security requirements are being specified in a Protection Profile (PP) or Security Target (ST).

target platform

A target platform is a type of target system. For example, it might be an operating system (e.g., Unix, Windows), a type of database (e.g., Oracle, Microsoft SQL) or a type of application (e.g., SAP R/3, PeopleSoft). An identity management system typically needs a different connector for each type of integrated target platform.

target system

Systems and applications where information about users resides and which are integrated into an identity management infrastructure are called target systems. They may include directories, operating systems, databases, application programs, mainframes, e-mail systems, etc.

target system administrator

A system administrator is a user with absolute control over a target system. The system administrator may install any or all software on the managed system, can create or delete other users on that system, etc.

taxonomies of identity

Digital identity attributes (or data) exist within the context of ontologies. A simple example of a taxonomy is "A cat is a kind of animal." An entity represented in this ontology as a "cat" is therefore invariably also considered an "animal." In establishing the contextual relationship of identity attributes to one another, taxonomies are able to represent identity in terms of pre-defined structures. This in turn allows computer applications to process identity attributes in a reliable and useful manner. XML (eXtensible Markup Language) has become a de facto standard for the abstract description of structured data.

Taxonomies inevitably reflect culturally and personally relative world views. Consider two possible elaborations of the above example:

"A cat is a kind of animal. A domestic cat is a kind of cat and is a pet."

"A cat is a kind of animal. A domestic cat is a kind of cat and is edible by humans."

Someone searching the first taxonomy for pets would find "domestic cat," whereas a search of the second taxonomy for foodstuffs would yield the same result! We can see that while each taxonomy is useful within a particular cultural context or set of contexts, neither represents a universally valid point of view on domestic cats.

The development of digital identity network solutions that can interoperate taxonomically-diverse representations of digital identity is a contemporary challenge. Free-tagging has emerged recently as an effective way of circumventing this challenge (to date, primarily with application to the identity of digital entities such as bookmarks and photos) by effectively flattening identity attributes into a single, unstructured layer. However, the organic integration of the benefits of both structured and fluid approaches to identity attribute management remains elusive.

technical policy

A set of technical parameters constraining the behavior of a digital service and limited to the present tense.

telephone preference service and fax preference service (Data Protection Act)

Similar schemes to the MPS exist for the Telephone Preference Service (TPS) and Fax Preference Service (FPS) which were set up on behalf of the Director General of Telecommunications. Organisations that engage in unsolicited direct marketing by telephone and fax must not contact individuals who have registered with these opt-out schemes. Registration with the TPS and FPS can therefore help people to reduce the number of unwanted telephone sales calls or marketing faxes they receive.

terminal object

An object having a binding to a terminal device, such as a Subscriber Identity Module (SIM) card.

termination

All users eventually leave an organization. Likewise, customers may terminate their relationship with vendors. Generically, these events are called termination.

the approved technology provider list

A list of software products that have demonstrated basic interoperability in the E-Authentication Interoperability Lab and are approved by the E-Authentication Initiative for use in the Federation.

third party

An entity that is not affiliated with the entity that collects personal information or any affiliated entity not covered by the entity's privacy notice.

third party beneficiary

An entity claiming a right or benefit arising from a contract between other parties, in a case where the entity is not a party to the contract.

threat

An adversary that is motivated and capable to violate the security of a target and has the capability to mount attacks that will exploit the target's vulnerabilities.

time stamp

To create a notation that indicates, at least, the correct date and time of an action, and the identity of the person that created the notation; or such a notation appended, attached or referenced.

time-out

A period of time after which some condition becomes true if some event has not occurred. For example, a session that is terminated because its state has been inactive for a specified period of time is said to "time out".

time-stamping service

A time-stamping service provides a strong and verifiable cryptographic statement that a specific digital record existed at a specific moment in time.

tokens

Something that the claimant (End-User) possesses and controls (typically a key or Password) used to authenticate the claimant's identity.

A token is any hardware or software that contains credentials related to attributes.

A thing, a device, a physical item or software used to store attributes and credentials. Sometimes incorrectly used to describe the credential itself. For example: a driver's licence, a birth certificate, a door key, a scratchie, a plastic card, a smart-card, an OTP calculator, a digital certificate, a mobile phone or PDA.

Something that a claimant possesses and controls (typically a key or password) that is used to authenticate the claimant's identity.

Something that a person possesses and controls (either a unique physical object or secret data or information) that is used to authenticate his or her identity (such as a secret password, PIN, cryptographic key, ATM card, USB token, etc.). Tokens are physical devices or electronic records designed for use in authentication systems and/or to hold authenticating information. These include smart cards and ATM cards as well as digital certificates. Also called an authenticator.

In Liberty, a security token is a collection of security-related information that is used to represent and substantiate a claim.

Outside of Liberty, the term "security token" often refers to hardware-based devices, e.g., so-called "token cards." One should not confuse the latter and the former definitions. However, it is possible for some given authentication mechanism to employ token cards in the process of authentication.

See security token.

tort

A civil wrong for which a remedy may be obtained, usually but not always in the form of damages.

trail

A "transport entity" which consists of an associated pair of "unidirectional trails" capable of simultaneously transferring information in opposite directions between their respective inputs and outputs.

transaction

An electronic communication among two or more parties (e.g., business, negotiations, activities, etc.) of a discrete unit of work brought to the mutually agreed conclusion or settlement. The parties have an obligation to play their parts during the transactions and honor their commitments after the transaction.

transaction identifier (TID)

Mechanism for tracking transactions across various components in the architecture. TIDs will be generated by the Portal, and will be passed with the End-User, via query string, as they are redirected from (1) the Portal to CSs, (2) from CSs to AAs, and, (3) once generated by the Portal, to the Portal by AAs or CSs. TID is expected in Architecture 1.1.

transactional certificate

A certificate for a specific transaction incorporating by reference one or more digital signatures.

transient pseudonym

A privacy-preserving identifier assigned by an identity provider to identify a principal to a given relying party for a relatively short period of time that need not span multiple sessions.

transmission media layer network

A "layer network" which may be media dependent and which is concerned with the transfer of information between transmission media layer network "access points" in support of one or more "path layer networks."

transparent password synchronization

Transparent password synchronization works by intercepting native password changes on an existing system or application and automatically forwarding the user's chosen new password to other systems. It is called transparent since the user is not presented with any new user interface.

Transparent password synchronization typically must enforce a multi-system password policy in addition to the native policy of the system where synchronization is initiated. This policy should be at least as strong as the policies in each of the target applications.
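As an added example (not code from any of the glossary's sources), the following Python derives the synchronization policy from the native policies of three target systems, verifies that it is at least as strong as each of them, detects the case where the target policies contradict each other, and evaluates an intercepted password change before it is forwarded. The policy names, their rules and the sample passwords are constructed for the illustration.

```python
"""Composite password policy for transparent password synchronization.

Added illustration, not code from any glossary source. The three target
policies are constructed sample data; a real deployment would load them
from each target system's configuration.
"""
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int = 1
    max_length: int = 1024          # some legacy systems cap the length
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_symbol: bool = False
    forbidden_chars: frozenset = frozenset()

    def violations(self, password):
        """Reasons this policy rejects the password (empty list means accepted)."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length}")
        if len(password) > self.max_length:
            problems.append(f"longer than {self.max_length}")
        if self.require_upper and not any(c.isupper() for c in password):
            problems.append("no uppercase letter")
        if self.require_lower and not any(c.islower() for c in password):
            problems.append("no lowercase letter")
        if self.require_digit and not any(c.isdigit() for c in password):
            problems.append("no digit")
        if self.require_symbol and not any(c in string.punctuation for c in password):
            problems.append("no symbol")
        forbidden = sorted(set(password) & self.forbidden_chars)
        if forbidden:
            problems.append("forbidden characters: " + "".join(forbidden))
        return problems


def composite_policy(targets):
    """Strongest combination: longest minimum, shortest maximum, union of requirements."""
    policy = PasswordPolicy(
        name="synchronization",
        min_length=max(t.min_length for t in targets),
        max_length=min(t.max_length for t in targets),
        require_upper=any(t.require_upper for t in targets),
        require_lower=any(t.require_lower for t in targets),
        require_digit=any(t.require_digit for t in targets),
        require_symbol=any(t.require_symbol for t in targets),
        forbidden_chars=frozenset().union(*(t.forbidden_chars for t in targets)),
    )
    if policy.min_length > policy.max_length:
        # e.g. a directory demanding 12 characters and a legacy host capped at 8:
        # no single password can be synchronized to both, so fail loudly.
        raise ValueError("target policies conflict: no length satisfies all of them")
    return policy


def at_least_as_strong(stronger, weaker):
    """True if every password accepted by `stronger` is also accepted by `weaker`."""
    return (stronger.min_length >= weaker.min_length
            and stronger.max_length <= weaker.max_length
            and (stronger.require_upper or not weaker.require_upper)
            and (stronger.require_lower or not weaker.require_lower)
            and (stronger.require_digit or not weaker.require_digit)
            and (stronger.require_symbol or not weaker.require_symbol)
            and weaker.forbidden_chars <= stronger.forbidden_chars)


def check_before_forwarding(password, targets):
    """Decide whether an intercepted password change may be forwarded to all targets."""
    policy = composite_policy(targets)
    if not all(at_least_as_strong(policy, t) for t in targets):
        raise AssertionError("composite policy weaker than a target policy")
    problems = policy.violations(password)
    return (not problems, problems)


# Constructed sample target policies.
TARGETS = (
    PasswordPolicy("directory", min_length=12, require_upper=True, require_lower=True, require_digit=True),
    PasswordPolicy("legacy-erp", min_length=8, max_length=20, require_digit=True, forbidden_chars=frozenset(' "')),
    PasswordPolicy("unix-hosts", min_length=10, require_symbol=True),
)
```

The composite is rebuilt from the targets rather than maintained by hand so that a later tightening of one target's native policy is picked up automatically; the conflict check matters because a password that satisfies the originating system but cannot satisfy every target would otherwise leave the user with mismatched passwords, which is exactly what synchronization is meant to prevent.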
transport

The functional process of transferring information between different locations.

transport entity

An architectural component which transfers information between its inputs and outputs within a layer network.

transport layer security protocol (TLS)

An evolution of the SSL protocol. The TLS protocol provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. See [RFC4346].

transport network

The functional resources of the network which conveys user information between locations.

trust

An instance of a relationship between two or more entities, in which an entity assumes that another entity will act as authorised/expected. The risk/trust relationship depends on who you are and what you want to do at any instance. The degrees of separation between parties can decrease the trust (increase the risk). They trust you, so I (kinda) trust you (for now) to do (only) this.

Trust is a quality of a relationship between two or more entities, in which an entity assumes that another entity in the relationship will behave in a fashion agreed beforehand, and in which the first entity is willing to act on this assumption.

Trust is an evaluation, by an entity, of the reliability of an identity when the identity is involved in interactions. [See also: Trust is an Emotion.] The level of trust is typically based on the technical strength of the identity, but it also includes the evaluating entity's subjective considerations (e.g. feelings) of the reliability of the entity the identity represents. Trust is at least partially transitive (as in the case of notaries).

An instance of a relationship between two or more entities, in which an entity assumes that another entity will act as authorised/expected. The risk/trust relationship depends on who you are and what you want to do at any instance. The degrees of separation between parties can decrease the trust (increase the risk). They trust you, so I (kinda) trust you (for now) to do (only) this. Also see Assurance Framework.

a. A measure of reliance on the character, ability, strength, or truth of someone or something.
b. Confidence that an entity will behave in a particular way with respect to certain activities (entity X is said to trust entity Y for a set of activities if and only if entity X relies upon entity Y behaving in a particular way with respect to the activities.)
c. A reasonable level of confidence that an entity will behave in a certain manner in a given context.
d. A subjective assessment. An instance of a relationship between two or more entities, in which an entity assumes that another entity will act as authorized/expected.
e. Trust is an evaluation, by an entity, of the reliability of an identity when the identity is involved in interactions.

i. A measure of reliance on the character, ability, strength, or truth of someone or something.
ii. Confidence that an entity will behave in a particular way with respect to certain activities (entity X is said to trust entity Y for a set of activities if and only if entity X relies upon entity Y behaving in a particular way with respect to the activities.)
iii. A reasonable level of confidence that an entity will behave in a certain manner in a given context.
iv. A subjective assessment. An instance of a relationship between two or more entities, in which an entity assumes that another entity will act as authorised/expected.
v. Trust is an evaluation, by an entity, of the reliability of an identity when the identity is involved in interactions.

The firm belief in the reliability and truth of information; or in the competence of an entity to act appropriately, within a specified context.

The firm belief in the reliability and truth of information or in the ability and disposition of an entity to act appropriately, within a specified context.

trust circle

See circle of trust.

trust framework

The body of work that collectively defines the industry-led self-regulatory framework for electronic trust services in the United States, as operated by the EAP. The trust framework includes descriptions of criteria, rules, procedures, processes, and other documents.

The underlying structure of standards and policies that defines the rights and responsibilities of the various participants in the Identity Ecosystem, specifies the rules that govern their participation, outlines the processes and procedures to provide assurance, and provides the enforcement mechanisms to ensure compliance.

trust framework provider

Creates a trust framework with a set of minimum practices that must be upheld in order to be considered trusted within the framework, and evaluates identity provider practices against this framework.

trust level

A consistent, quantifiable measure of reliance on the character, ability, strength, or truth of someone or something.

trust list

List of Certification Authorities that an application trusts.

trustmark

A badge, seal, image or logo that indicates a product, device, or service provider has met the requirements of the Identity Ecosystem, as determined by an accreditation authority. To maintain trustmark integrity, the trustmark itself must be resistant to tampering and forgery; participants should be able to both visually and electronically validate its authenticity. The trustmark provides a visible symbol to serve as an aid for individuals and organizations to make informed choices about the providers and identity media they use.

trust relationship

A trust relationship is a codified arrangement between two domains where users and/or services exist. One domain (A) trusts the other (B) to identify, authenticate and authorize B's users to access A's resources.

Simple trust relationships are two-way, while complex ones may have groups of multi-way trust (i.e., any organization in a group trusts any other to make assertions about its own users).

trusted authority

In Liberty, a Trusted Third Party (TTP) which issues and vouches for assertions, otherwise known as an Identity Provider.

trusted but vulnerable zone

From the viewpoint of an NGN provider, a security zone where the network elements/devices are operated (provisioned and maintained) by the NGN provider. The equipment may be under the control of either the customer/subscriber or the NGN provider. In addition, the equipment may be located within or outside the NGN provider's domain. They communicate with elements both in the trusted zone and with elements in the un-trusted zone, which is why they are "vulnerable." Their major security function is to protect the NEs in the trusted zone from the security attacks originating in the un-trusted zone in a failsafe manner.

trusted entity

An entity that can violate a security policy, either by performing actions which it is not supposed to do, or by failing to perform actions which it is supposed to do.

trusted identity information

Network-generated user public identity information.

trusted source

A repository of identity information that can be relied upon for its accuracy due to the processes and security surrounding its creation and maintenance.

trusted third party (TTP)

A trusted third party is an entity trusted by multiple other entities within a specific context and which is alien to their internal relationship.

A security authority or its agent that is trusted with respect to some security relevant activities (in the context of a security policy).

In general, a security authority or its agent, trusted by other entities with respect to security-related activities. In the context of Liberty, these other entities are, for example, Principals and Service Providers, and the trusted third party is typically the Identity Provider(s) involved in the particular interaction of interest.

In the context of a security policy, a security authority or its agent that is trusted with respect to some security relevant activities.

trusted zone

From the viewpoint of an NGN provider, a security domain where an NGN provider's network elements and systems reside and never communicate directly with customer equipment. The common characteristics of NGN network elements in this domain are that they are under the full control of the related NGN provider, are located in the NGN provider premises (which provides physical security), and they communicate only with elements in the "trusted" domain and with elements in the "trusted-but-vulnerable" domain.

trustworthiness

Security decision with respect to extended investigations to determine and confirm qualifications, and suitability to perform specific tasks and responsibilities.

trustworthy system

Computer hardware, software, and procedures that:
are reasonably secure from intrusion and misuse;
provide a reasonably reliable level of availability, reliability, and correct operation;
are reasonably suited to performing their intended functions; and
adhere to generally accepted security principles.

typing cadence

The time interval between keystrokes when typing a particular phrase can be used to differentiate between different people typing the same phrase.
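As an added example (not from any glossary source), the following Python shows the mechanics behind this definition: key-down timestamps for a phrase are turned into inter-keystroke intervals, several typings by the enrolled person are averaged into a template, and a later attempt is scored by how far its intervals lie from that template. The enrollment timings, the two attempts, the standard-deviation floor and the acceptance threshold are constructed assumptions of the illustration.

```python
"""Keystroke-timing (typing cadence) verification.

Added illustration, not code from any glossary source. Enrollment timings
and the two attempts below are constructed sample data: the phrase is typed
as six key-down events, giving five inter-keystroke intervals.
"""
from statistics import mean, pstdev

SD_FLOOR_MS = 10.0   # assumption: never trust a template position tighter than 10 ms


def intervals(timestamps_ms):
    """Inter-keystroke intervals from absolute key-down timestamps (milliseconds)."""
    if len(timestamps_ms) < 2:
        raise ValueError("need at least two keystrokes")
    return [later - earlier for earlier, later in zip(timestamps_ms, timestamps_ms[1:])]


def enroll(samples):
    """Build a template from several typings of the same phrase.

    Returns one (mean, stddev) pair per interval position. The stddev is
    floored so that a few unusually consistent samples do not produce a
    template that rejects the legitimate user on normal variation.
    """
    vectors = [intervals(s) for s in samples]
    if len({len(v) for v in vectors}) != 1:
        raise ValueError("all enrollment samples must contain the same phrase")
    return [(mean(col), max(pstdev(col), SD_FLOOR_MS)) for col in zip(*vectors)]


def score(template, attempt_ms):
    """Mean absolute z-score of the attempt against the template (lower is closer)."""
    vector = intervals(attempt_ms)
    if len(vector) != len(template):
        raise ValueError("attempt does not match the enrolled phrase length")
    return mean(abs(x - m) / sd for x, (m, sd) in zip(vector, template))


def verify(template, attempt_ms, threshold=1.5):
    """Accept when the attempt lies within `threshold` standard deviations on average.

    The threshold trades false rejects against false accepts and is tuned per
    deployment; cadence is normally an additional signal beside a credential,
    not a factor on its own.
    """
    return score(template, attempt_ms) <= threshold


# Constructed sample data: three enrollment typings of one phrase by the same person.
ENROLLMENT = [
    [0, 120, 300, 390, 590, 740],
    [0, 130, 300, 400, 590, 750],
    [0, 110, 300, 380, 590, 730],
]
GENUINE_ATTEMPT = [0, 125, 300, 395, 600, 745]   # same person, small natural variation
OTHER_TYPIST = [0, 200, 300, 550, 640, 940]      # different rhythm for the same phrase
```

The per-position mean and deviation are what make the comparison phrase-specific, which is why the definition speaks of "a particular phrase": intervals from a different phrase have a different length and meaning and cannot be scored against this template.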
ultimate SOAP receiver

The SOAP receiver that is a final destination of a SOAP message. It is responsible for processing the contents of the SOAP body and any SOAP header blocks targeted at it. In some circumstances, a SOAP message might not reach an ultimate SOAP receiver, for example because of a problem at a SOAP intermediary. An ultimate SOAP receiver cannot also be a SOAP intermediary for the same SOAP message.
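As an added example (not from any glossary source), the following Python shows how an ultimate SOAP receiver decides which header blocks are "targeted at it" under the SOAP 1.2 role rules: a block with no role attribute is for the ultimate receiver, every node acts in the "next" role, no node acts in the "none" role, and any other role names an intermediary. It also applies the mustUnderstand rule, under which a targeted block the node does not understand must produce a fault rather than be skipped. The envelope, the example namespace and the intermediary role name are constructed.

```python
"""Header-block targeting at an ultimate SOAP receiver (SOAP 1.2 roles).

Added illustration, not code from any glossary source. The envelope below is
a constructed sample; the urn:example:* names are invented for it.
"""
import xml.etree.ElementTree as ET

ENV = "http://www.w3.org/2003/05/soap-envelope"
ROLE_NEXT = ENV + "/role/next"                    # every node acts in this role
ROLE_ULTIMATE = ENV + "/role/ultimateReceiver"    # default when no role is given
ROLE_NONE = ENV + "/role/none"                    # no node ever acts in this role
ROLE_ATTR = "{" + ENV + "}role"
MUST_UNDERSTAND_ATTR = "{" + ENV + "}mustUnderstand"

SAMPLE = """<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap-envelope"
              xmlns:ex="urn:example:demo">
  <env:Header>
    <ex:Trace env:role="http://www.w3.org/2003/05/soap-envelope/role/next">hop-1</ex:Trace>
    <ex:Correlation>txn-42</ex:Correlation>
    <ex:Security env:role="http://www.w3.org/2003/05/soap-envelope/role/ultimateReceiver"
                 env:mustUnderstand="true">signature-goes-here</ex:Security>
    <ex:Billing env:role="urn:example:role:billing-intermediary">acct-7</ex:Billing>
    <ex:Marker env:role="http://www.w3.org/2003/05/soap-envelope/role/none">never-processed</ex:Marker>
  </env:Header>
  <env:Body><ex:Lookup>alice</ex:Lookup></env:Body>
</env:Envelope>"""


class MustUnderstandFault(Exception):
    """Raised when a targeted, mandatory header block is not understood."""


def blocks_for_ultimate_receiver(envelope_xml, understood):
    """Return (targeted header block tags, body child tags) for the final destination.

    `understood` is the set of header block tags this node knows how to process.
    Mandatory blocks are checked before any block is processed, so a message
    with an unsupported mandatory block is faulted as a whole.
    """
    root = ET.fromstring(envelope_xml)
    header = root.find("{%s}Header" % ENV)
    body = root.find("{%s}Body" % ENV)
    if body is None:
        raise ValueError("envelope has no Body")
    targeted = []
    for block in (list(header) if header is not None else []):
        role = block.get(ROLE_ATTR, ROLE_ULTIMATE)   # absent role means ultimate receiver
        if role not in (ROLE_NEXT, ROLE_ULTIMATE):
            continue   # "none", or a role only an intermediary plays: not addressed to us
        targeted.append(block)
    for block in targeted:
        mandatory = block.get(MUST_UNDERSTAND_ATTR, "false") in ("true", "1")
        if mandatory and block.tag not in understood:
            raise MustUnderstandFault(block.tag)
    return [b.tag for b in targeted], [child.tag for child in body]
```

The Body is only ever processed by the ultimate receiver, which is the practical meaning of the definition's last sentence: a node that handles the Body cannot also be forwarding the same message as an intermediary.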
unanonymous identity

An unanonymous identity is an identity that is linked to an entity in a way that the linkage can easily be discovered.

uniform resource identifier (URI)

A compact string of characters for identifying an abstract or physical resource. URIs are the universal addressing mechanism for resources on the World Wide Web. Uniform Resource Locators (URLs) are a subset of URIs that use an addressing scheme tied to the resource's primary access mechanism, for example, their network "location".

A compact string of characters for identifying an abstract or physical resource. [RFC3986] defines the generic syntax of URIs. URNs and URLs are proper subsets of URIs.

uniform resource locator (URL)

URLs identify resources via a representation of their primary access mechanism (e.g., their network location) rather than identifying the resource by name or by some other attributes of that resource [RFC3986]. URLs are a proper subset of URIs.

uniform resource name (URN)

Persistent, location-independent, resource names with delegatable sub-namespaces, termed Uniform Resource Name (URN) Namespaces [RFC2141]. Liberty's URN Namespace is defined in [RFC3622]. URNs are a proper subset of URIs.

unique identity

A unique identity is a partial identity in which at least a part of the attributes are identifiers.

untrusted zone

From the viewpoint of an NGN provider, a zone that includes all network elements of customer networks or possibly peer networks or other NGN provider zones outside of the original domain, which are connected to the NGN provider's border elements.

URI reference

A URI that is allowed to have an appended number sign (#) and fragment identifier. Fragment identifiers address particular locations or regions within the identified resource.

usage directives

Directives that specify the manner in which attributes can be used, stored, and disclosed.

user

Specifically, an RFID Application User, i.e., a person (or other entity, such as a legal entity) who directly interacts with one or more components of an RFID Application (e.g., back-end system, communications infrastructure, RFID Tag) for the purposes of operating an RFID Application or exercising one or more of its functions.

Any entity that makes use of a resource, e.g., system, equipment, terminal, process, application, or corporate network.

A person who purchases an object with built-in or attached RFID tags or makes use of the service based on an object with built-in or attached RFID tag.

Users are people whose access to systems and identity information must be managed.

user agent

Software that a "natural person" interacts with directly. A user agent typically implements a user interface. A typical user agent is a web browser. A more specialized sort of user agent is the Liberty-enabled User Agent or Device (LUAD).

user agreement

The agreement between the Credential Service Provider and the Subject with respect to (a) the use and protection of the Credential, and (b) the transmission to, and use by, Relying Party of the Subject's Assertion and/or Personal Information, in substantially the form attached as Schedule G to this Agreement.

user creation

When users join an organization, they are normally granted access to systems and applications. This is called user creation.

user identifiers

Identifiers that represent users in their interactions with other parties. Users may present their identifiers verbally, on paper, on plastic cards, or in any other appropriate manner. Electronic user identifiers are electronically presented over data communication channels by user-operated computing devices (client devices) such as PCs, laptops, mobile phones, and smartcards.

user identity

A code or string uniquely identifying a user across a multiuser, multi-service infrastructure.

user interface

The controls (such as menus, buttons, prompts, etc.) and mechanisms (such as selection and focus) provided by, e.g., a user agent.

user profile

The set of login accounts, identity attributes and security entitlements associated with a single (human) user.

user provisioning

A user provisioning system is shared IT infrastructure which is used to externalize the management of users, identity attributes and entitlements from individual systems and applications.

User provisioning is intended to make the creation, management and deactivation of login accounts and other user objects, which are spread across multiple systems, faster, cheaper and more reliable. This is done by automating and codifying business processes such as onboarding and termination and connecting these processes to multiple systems.

User provisioning systems work by automating one or more processes:

  • Identity synchronization: Detect changes to personal data, such as phone numbers or department codes, on one system and automatically make matching changes on other systems for the same user.
  • Auto-provisioning: Detect new user records on a system of record (such as HR) and automatically provision those users with appropriate access on other systems and applications.
  • Auto-deactivation: Detect deleted or deactivated users on an authoritative system and automatically deactivate those users on all other systems and applications.
  • Self-service requests: Enable users to update their own profiles (e.g., new home phone number) and to request new entitlements (e.g., access to an application or share).
  • Delegated administration: Enable managers, application owners and other stake-holders to modify users and entitlements within their scope of authority.
  • Authorization workflow: Validate all proposed changes, regardless of their origin, and invite business stake-holders to approve them before they are applied to integrated systems and applications.
  • Consolidated reporting: Provide data about what users have what entitlements, what accounts are dormant or orphaned, change history, etc. across multiple systems and applications.

As well, a user provisioning system must be able to connect these processes to systems and applications, using connectors that can:

  • List existing accounts and groups.
  • Create new and delete existing accounts.
  • Read and write identity attributes associated with a user object.
  • Read and set flags, such as "account enabled/disabled," "account locked," and "intruder lockout."
  • Change the login ID of an existing account (rename user).
  • Read a user's group memberships.
  • Read a list of a group's member users.
  • Add an account to or remove an account from a group.
  • Create, delete and set the attributes of a group.
  • Move a user between directory organizational units (OUs).

User/End User/Subject/Data Subject

Any citizen, Government employee, contractor, or business that authenticates to an AA using a Credential issued by a CS.

An Identity where the identifier of the identity is the public part of a paired Identity assertion. A user may have several identities / usernames / user-ids / logon-ids / sign-ons.

A natural person who is represented by a subject.

An end point of communications. Also, an intelligent agent (e.g., a human).

A user is a human entity who can only access the network via a client device.

An entity represented or existing in the digital realm which is being described or dealt with.

An Identity where the identifier of the identity is the public part of a paired Identity assertion. A user may have several identities / usernames / user-ids / logon-ids / sign-ons. See Identity and Authentication.

a. Includes end user, person, subscriber, system, equipment, terminal (e.g. FAX, PC), (functional) entity, process, application, provider, or corporate network.
b. An identity where the identifier of the identity is the public part of a paired Identity assertion.

i. Includes end user, person, subscriber, system, equipment, terminal (e.g., FAX, PC), (functional) entity, process, application, provider, or corporate network.
ii. An Identity where the identifier of the identity is the public part of a paired Identity assertion.

An entity that is able to use an electronic trust service subject to agreement with an associated subscriber. A subject and a subscriber can be the same entity.

Registers his or her identity information with one or more identity providers and controls how that information is shared with service providers.

A natural person who makes use of resources for application purposes (as opposed to system management purposes; see Administrator, User).

A natural person who makes use of a system and its resources for any purpose [SAMLAgree].

An Entity that uses the keys and certificates created within the PKI for purposes other than the management of the aforementioned keys and certificates. An End-Entity may be a Subscriber, a Relying Party, a device, or an application.

Any entity that makes use of a resource e.g. system, equipment, terminal, process, application, or corporate network.

user-centric

Structured so as to allow users to conceptualize, enumerate and control their relationships with other parties, including the flow of information.

An identity management (IdM) system that provides the user with the ability to control and enforce various privacy and security policies governing the exchange of identity information, including the user's personally identifiable information (PII), between entities.

An IdM system that can provide the (IdM) user with the ability to control and enforce various privacy and security policies governing the exchange of identity information, including PII, between entities.

user-centric identity

Systems where users, rather than service providers, control their identity credentials.

An IdM system that can provide the (IdM) user with the ability to control and enforce various privacy and security policies governing the exchange of identity information, including PII, between entities.

valid certificate

A certificate that (a) a certification authority has issued, and (b) has been accepted by the subscriber listed in it; or

A transactional certificate that (a) a certification authority has issued, and (b) has been accepted by the subscriber listed in it, but limited to the digital signatures created pursuant to the specific transaction to which the transactional certificate relates.

validation

The process of demonstrating that the system under consideration meets in all respects the specification of that system. [INCITS/M1-040211]

verification

The process of confirming a claimed Identity. For example, any one-to-one precise matching of an identity's registered credentials, such as in a logon or any non-AFIS process. Usually performed in real-time, with a yes/no outcome. Contrasts with Identification.

The process of confirming a claimed Identity. For example, any one-to-one precise matching of an identity's registered credentials, such as in a logon or any non-AFIS process. Usually performed in real-time, with a yes/no outcome.

Establishment of the truth or correctness of something by investigation of evidence.

The process of confirming a claimed Identity.

The process or instance of establishing the authenticity of something.

See "Identity Verification".

verification authentication information (verification AI)

Information used by a verifier to verify an identity claimed through exchange AI.

verification token

Used in the context of this document, is synonymous with password, pass phrase or PIN. It enables the holder of an electronic identifier to confirm that s/he is the person to whom the identifier was issued.

verifier

An entity that is or represents the entity requiring an authenticated identity. A verifier includes the functions necessary for engaging in authentication exchanges.

An entity that validates identity information.

An entity that verifies and validates identity information.

verify a digital signature and message integrity

In relation to a given digital signature, message, and public key, to determine accurately:
that the digital signature was created during the operational period of a valid certificate by the private key corresponding to the public key listed in the certificate; and
the message has not been altered since its digital signature was created.

veto power

Veto power is a right assigned to authorizers in an approvals process whereby rejection of a change request by the authorizer who has veto power cancels the request, regardless of any approvals previously received from other authorizers.
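As an added example (not from any glossary source), the following Python models a small approvals workflow of the kind described under the "authorization workflow" process in the user provisioning entry, with veto power applied as defined here: a rejection by a veto-holding authorizer cancels the request whatever approvals have already been recorded. The quorum rule (`required_approvals`), the rule that a request stays pending until every veto holder has decided, and the authorizer names are assumptions of the example.

```python
"""Approval workflow with veto power.

Added illustration, not code from any glossary source. The quorum rule and
the "no completion while a veto holder is undecided" rule are assumptions
of this example; the authorizers and the request are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Authorizer:
    name: str
    veto: bool = False


@dataclass
class ChangeRequest:
    description: str
    authorizers: tuple
    required_approvals: int
    decisions: dict = field(default_factory=dict)   # authorizer name -> "approve" | "reject"
    status: str = "pending"                         # pending | approved | rejected | cancelled

    def __post_init__(self):
        if not 1 <= self.required_approvals <= len(self.authorizers):
            raise ValueError("required_approvals must be between 1 and the number of authorizers")

    def record(self, name, decision):
        """Record one authorizer's decision and return the resulting request status."""
        if self.status != "pending":
            raise ValueError(f"request is already {self.status}")
        if not any(a.name == name for a in self.authorizers):
            raise PermissionError(f"{name} is not an authorizer for this request")
        if decision not in ("approve", "reject"):
            raise ValueError(f"unknown decision {decision!r}")
        self.decisions[name] = decision
        self._evaluate()
        return self.status

    def _evaluate(self):
        veto_holders = [a for a in self.authorizers if a.veto]
        if any(self.decisions.get(a.name) == "reject" for a in veto_holders):
            self.status = "cancelled"   # veto: approvals already received are discarded
            return
        approvals = sum(1 for d in self.decisions.values() if d == "approve")
        undecided = len(self.authorizers) - len(self.decisions)
        veto_pending = any(a.name not in self.decisions for a in veto_holders)
        if approvals >= self.required_approvals and not veto_pending:
            self.status = "approved"
        elif approvals + undecided < self.required_approvals:
            self.status = "rejected"    # the quorum can no longer be reached


# Constructed sample: a request to add someone to a privileged entitlement.
AUTHORIZERS = (Authorizer("line-manager"), Authorizer("app-owner"), Authorizer("security", veto=True))


def new_request():
    return ChangeRequest("grant payroll-admin to alice", AUTHORIZERS, required_approvals=2)
```

Keeping the veto holder's decision as a precondition for approval is what gives the veto its force: if the quorum could complete the request first, the veto would only ever arrive after the change had already been applied.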
virtual directory

A virtual directory is an application that exposes a consolidated view of multiple physical directories over an LDAP interface. Consumers of the directory information connect to the virtual directory's LDAP service, and "behind the scenes" requests for information and updates to the directory are sent to one or more physical directories, where the actual information resides. Virtual directories enable organizations to create a consolidated view of information that, for legal or technical reasons, cannot be consolidated into a single physical copy.

virtual group

On some systems, management of membership in large groups does not scale. This may be due to technical problems with the underlying implementation. For example, on Sun or IBM LDAP directories, groups should not have more than a few thousand members, or else performance will suffer.

In these cases, it may be preferable to create a "virtual" group, whose membership is not explicitly defined. Instead, membership in a virtual group is calculated at runtime, by evaluating a logical expression based on identity attributes. For example, users may be said to belong to a group "Dallas-Managers" if their location attribute is equal to "DFW" and their position attribute is set to "Manager."

In other words, virtual groups are named expressions that evaluate to boolean true for users that are considered to be members of a group.
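As an added example (not from any glossary source), the following Python implements a virtual group as a named expression over identity attributes, using the "Dallas-Managers" rule from the definition among others. The rule language (equality, inequality, and/or/not, parentheses) and the user records are constructed for the illustration; the expression is parsed into a small tree and evaluated without eval(), and a missing attribute never satisfies a comparison, so an incomplete record cannot fall into a group by accident.

```python
# Virtual-group rule evaluator: added illustration, not code from any glossary source.
# Rule language (constructed): attr == "value", attr != "value", and, or, not, parentheses.
# Rules are parsed into a small tree and evaluated without eval(), so rule text cannot run code.
import re

TOKEN = re.compile(r'\s*(?:([()])|(==|!=)|"([^"]*)"|([A-Za-z_]\w*))')
KEYWORDS = ("and", "or", "not")
COMPARE = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b}

def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise ValueError(f"bad token at {text[pos:pos + 10]!r}")
        pos = m.end()
        punct, op, string, word = m.groups()
        if string is not None:
            tokens.append(("str", string))
        else:
            tokens.append(("kw" if word in KEYWORDS else "attr" if word else "punct", word or punct or op))
    return tokens

class Parser:
    """Recursive descent; precedence from lowest to highest: or, and, not, comparison."""

    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else (None, None)

    def take(self, kind=None, value=None):
        got = self.peek()
        if got[0] is None or (kind and got[0] != kind) or (value and got[1] != value):
            raise ValueError(f"expected {value or kind or 'more input'}, got {got[1]!r}")
        self.pos += 1
        return got

    def parse(self):
        node = self.parse_or()
        if self.peek()[0] is not None:
            raise ValueError(f"unexpected {self.peek()[1]!r}")
        return node

    def parse_or(self):
        return self.chain("or", lambda: self.chain("and", self.parse_not))

    def chain(self, keyword, operand):
        node = operand()
        while self.peek() == ("kw", keyword):
            self.take()
            node = (keyword, node, operand())
        return node

    def parse_not(self):
        if self.peek() == ("kw", "not"):
            self.take()
            return ("not", self.parse_not())
        kind, value = self.take()
        if (kind, value) == ("punct", "("):
            node = self.parse_or()
            self.take("punct", ")")
            return node
        if kind != "attr":
            raise ValueError(f"expected attribute name, got {value!r}")
        op = self.take("punct")[1]
        if op not in COMPARE:
            raise ValueError(f"unknown operator {op!r}")
        return (op, value, self.take("str")[1])

def evaluate(node, attrs):
    """A missing attribute never satisfies a comparison, even "!=": the rule fails closed."""
    op = node[0]
    if op in COMPARE:
        return node[1] in attrs and COMPARE[op](attrs[node[1]], node[2])
    if op == "not":
        return not evaluate(node[1], attrs)
    if op == "and":
        return evaluate(node[1], attrs) and evaluate(node[2], attrs)
    return evaluate(node[1], attrs) or evaluate(node[2], attrs)

class VirtualGroup:
    """A named rule; membership is computed when asked for, never stored."""
    def __init__(self, name, rule):
        self.name, self.tree = name, Parser(tokenize(rule)).parse()

    def members(self, users):
        return sorted(uid for uid, attrs in users.items() if evaluate(self.tree, attrs))

# Constructed sample user records (identity attributes only).
USERS = {
    "alice": {"location": "DFW", "position": "Manager", "department": "Sales"},
    "bob": {"location": "DFW", "position": "Engineer", "department": "Engineering"},
    "carol": {"location": "JFK", "position": "Manager", "department": "Sales"},
    "dave": {"location": "DFW", "position": "Manager", "department": "Finance"},
    "erin": {"position": "Manager"},   # no location attribute on record
}
```

Because membership is derived at lookup time, a user whose location attribute changes from "DFW" leaves "Dallas-Managers" on the next evaluation with no group update at all, which is the scaling property the definition is after; the cost is that the group's effective membership is only as reliable as the attributes it is computed from.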
vista credential provider

On Vista workstations, a credential provider infrastructure replaces the GINA infrastructure from previous versions of Windows. A credential provider may be installed to provide the same functionality as a GINA extension.

voice print

A voice print is a form of biometric authentication where the characteristic being measured is the timbre, tone, speed, volume, etc. of the user's voice, typically speaking the same phrases at both enrollment and authentication times.

voluntary

Acting without compulsion or obligation.

web access management

A web access management (also web single sign-on or WebSSO) system authenticates users as they access one or more web applications and may limit what URLs, application features or data users may access. This is normally accomplished by diverting user web browsers from "native" application login pages to the WebSSO authentication page and then diverting users back to application pages, using a cookie installed in the web browser to track user identity, authentication state and assigned entitlements.

One of the advantages of WebSSO is that multiple, separate login pages are replaced by a single, shared authentication process, so the frequency of user logins is reduced.
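As an added example (not from any glossary source), the following Python shows the two mechanisms named in the definition: the cookie the WebSSO layer installs after the shared login, carrying identity, authentication state and entitlements bound together with an HMAC so the browser cannot alter them, and the decision to divert an unauthenticated browser to the shared login page with a return address. The hostnames, paths, demo key, cookie name and entitlement table are constructed assumptions; a deployment would load the key from a secret store and would normally also set the cookie's Secure and HttpOnly attributes, which the decision logic here does not cover.

```python
"""WebSSO session cookie and access decision.

Added illustration, not code from any glossary source. Hostnames, paths, the
demo key and the entitlement table are constructed for the example.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode, urlsplit

COOKIE_NAME = "websso_session"
COOKIE_KEY = b"constructed-demo-key-load-the-real-one-from-a-secret-store"
LOGIN_URL = "https://sso.example.test/login"
# Assumption: paths that need a specific entitlement; unlisted paths only need authentication.
REQUIRED_ENTITLEMENT = {"/hr/payroll": "payroll-admin"}


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user, entitlements, auth_method, ttl_seconds, key=COOKIE_KEY, now=None):
    """Build 'payload.tag' where tag = HMAC-SHA256(key, payload)."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user, "ent": sorted(entitlements), "amr": auth_method,
              "iat": now, "exp": now + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64url_encode(payload)}.{b64url_encode(tag)}"


def read_cookie(value, key=COOKIE_KEY, now=None):
    """Return the claims if the cookie is authentic and unexpired, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, tag_b64 = value.split(".")
        payload, tag = b64url_decode(payload_b64), b64url_decode(tag_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None
    return claims


def handle_request(url, cookies, now=None):
    """WebSSO decision for a request to a protected application page.

    Returns ("redirect", login_url), ("deny", reason) or ("allow", claims).
    """
    claims = read_cookie(cookies.get(COOKIE_NAME, ""), now=now)
    if claims is None:
        # Divert the browser to the shared login page; return_to brings it back afterwards.
        return ("redirect", LOGIN_URL + "?" + urlencode({"return_to": url}))
    needed = REQUIRED_ENTITLEMENT.get(urlsplit(url).path)
    if needed and needed not in claims["ent"]:
        return ("deny", f"missing entitlement {needed}")
    return ("allow", claims)
```

The entitlements travel in the cookie only because the HMAC makes them tamper-evident; without that binding the browser could grant itself access by editing the cookie, which is why the authenticity check runs before any claim is read.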
web beacon

Web beacons, also known as Web bugs, are small strings of code that provide a method for delivering a graphic image on a Web page or in an e-mail message for the purpose of transferring data. Businesses use Web beacons for many purposes, including site traffic reporting, unique visitor counts, advertising and e-mail auditing and reporting, and personalization. For example, a Web beacon can gather a user's IP address, collect the referrer, and track the sites visited by users.

web proxy

A web proxy acts on behalf of one or more web browsers, fetching web pages for users and possibly adding capabilities such as caching (to reduce an organization's bandwidth usage), filtering (to block unwanted content) and monitoring (to record user activity).

Web proxies act on behalf of one or more users.

web server agent

An agent installed on a web server may be used to implement a WebSSO system by injecting user identification, authentication and authorization data into the requests sent from a user's browser to the web server and on to one or more web applications. The agent may modify the HTTP or HTTPS requests (for instance, inserting credentials) and request web pages on behalf of the user.

The server agent architecture has the advantage of not requiring new hardware to be deployed when implementing a WebSSO system.

web service

A standard means of web-based application to application communication, running on a variety of platforms and/or frameworks, sharing metadata, often publicly available to calling software. WS-Policy describes the capabilities and requirements, WS-Transfer describes the end-point resources, WSDL describes the messaging, WS-Security and WS-Trust describe how to protect the communications, XML schema describes the contents, SOAP (protocol) describes the use of XML and HTTP as a messaging protocol.

(1) Generically, a service defined in terms of an XML-based protocol, typically transported over SOAP, and/or a service whose instances, and possibly data objects managed therein, are concisely addressable via URIs. Such a generic web service (gWS) may be defined in various standardized and/or proprietary contexts.

Various organizations, formal or ad-hoc, have their own particular definitions for this term. For example, the W3C's definition (see ) is:

There are many things that might be called "Web services" in the world at large. However, for the purpose of this Working Group and this architecture, and without prejudice toward other definitions, we will use the following definition:

A Web service is a software system designed to support interoperable machine-to-machine interaction over a network. It has an interface described in a machine-processable format (specifically WSDL). Other systems interact with the Web service in a manner prescribed by its description using SOAP-messages, typically conveyed using HTTP with an XML serialization in conjunction with other Web-related standards.

(2) As specifically used in Liberty specifications, usually in terms of WSCs and WSPs, it means a web service that is defined in terms of the ID-* "stack", and thus utilizes [LibertySOAPBinding], [LibertySecMech], and is "discoverable" [LibertyDisco]. See also identity web service.

Note that Liberty Identity Web Services also meet the W3C definition.

web service consumer (WSC)

A role donned by a system entity when it makes a request to a web service.

web service provider (WSP)

A role donned by a system entity when it provides a web service.

web services description language (WSDL)

A means to describe the interface of a Web service. See [WSDLv1.1].

web-based password synchronization

Web-based password synchronization works by having a user sign into a consolidated web page to change multiple passwords, rather than waiting for each system or application to prompt the user to change just one password.

Users typically sign into the password synchronization web page using a primary login ID and password and can then specify a new password, which will be applied to multiple systems and applications.

A password synchronization web application typically must enforce a password policy, which should be at least as strong as the policies in each of the target applications.

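The requirement that the synchronization page's policy be at least as strong as every target's policy is easy to get wrong when each target has different rules. The following Python is an added example, not code from the glossary or any of its sources: it merges constructed (hypothetical) per-target policies into the strictest combined policy, checks a candidate password against it, and reports targets whose rules cannot all be satisfied at once.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    min_classes: int          # distinct character classes required (lower, upper, digit, symbol)
    max_length: int = 128     # some targets truncate or reject long passwords
    forbid_username: bool = False

# Constructed sample target systems (hypothetical names, not from any real deployment).
TARGET_POLICIES = {
    "hr_portal": PasswordPolicy(min_length=8, min_classes=2),
    "unix_hosts": PasswordPolicy(min_length=12, min_classes=3, forbid_username=True),
    "legacy_erp": PasswordPolicy(min_length=6, min_classes=1, max_length=20),
}

def strictest(policies):
    """Merge target policies into one at least as strong as each of them.
    Numeric rules take their tightest value, boolean rules are OR-ed."""
    policies = list(policies)
    merged = PasswordPolicy(
        min_length=max(p.min_length for p in policies),
        min_classes=max(p.min_classes for p in policies),
        max_length=min(p.max_length for p in policies),
        forbid_username=any(p.forbid_username for p in policies),
    )
    # Edge case: one target's minimum exceeds another's maximum, so no password fits all.
    if merged.min_length > merged.max_length:
        raise ValueError("target policies conflict: no length satisfies all of them")
    return merged

def char_classes(password):
    """Count the distinct character classes present in the password."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(test(c) for c in password) for test in tests)

def violations(password, username, policy):
    """Return the rules the password breaks; an empty list means it is accepted."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length}")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length}")
    if char_classes(password) < policy.min_classes:
        problems.append(f"fewer than {policy.min_classes} character classes")
    if policy.forbid_username and username.lower() in password.lower():
        problems.append("contains the login ID")
    return problems
```
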
webSSO authentication server

In a WebSSO system, one or more servers are dedicated to the function of authenticating users and determining what operations they will be permitted to perform. These are called authentication servers.

wireless markup language (WML)

A markup language based on XML and intended for use in specifying content and user interface for narrowband devices, including cellular phones and pagers.

workflow

The automated routing of tasks associated with one or more business processes, or the whole lifecycle. For example, when an employee requests access to a resource or service an approval task is sent to that person's line manager; if approved, an authorisation request is sent to the resource owner; if authorised, a provisioning task is sent to the resource manager who organises the access and advises the relevant parties. Tracking of progress, need for justification, and rerouting based on business rules and elapsed time, may be included as options in workflow diagrams. The workflow may be initiated by the individual, or others such as the line manager, but it usually cannot be approved by the requester (separation of duties). If the person's functional role changes, a revalidation of the person's access profile may be initiated automatically and routed to the new line manager.

workstation passwords

Workstation passwords are passwords stored in the security database on a user's workstation (PC or laptop). Workstations typically have dynamic addresses, are sometimes turned off and do not respond to requests they receive from the network.

X.500 protocols

X.500 is a family of standardized protocols for accessing, browsing and maintaining a directory. It is functionally similar to LDAP but is generally considered to be more complex and has consequently not been widely adopted.

X.509 token

An X.509 token is a type of security token containing an X.509 public key certificate.

XML attribute

An XML data structure that is embedded in the start-tag of an XML element and that has a name and a value. For example, in the element below, AddressID="A12345" is an instance of an XML attribute:

<Address AddressID="A12345">…</Address>

XML element

An XML data structure that is hierarchically arranged among other such structures in an XML document and is indicated by either a start-tag and end-tag or an empty tag. For example:

<Address AddressID="A12345">
  <Street>105 Main Street</Street>
  <City>Springfield</City>
  <StateOrProvince>
    <Full>Massachusetts</Full>
    <Abbrev>MA</Abbrev>
  </StateOrProvince>
  <Post Code="56789"/>
</Address>

XML namespace

A collection of names, identified by a URI reference, which are used in XML documents as element types and attribute names.

An XML namespace is often associated with an XML schema.

For example, SAML defines two schemas, and each has a unique XML namespace.

XML schema

The format developed by the World Wide Web Consortium (W3C) for describing rules for a markup language to be used in a set of XML documents. In the lowercase, a "schema" or "XML schema" is an individual instance of this format. For example, SAML defines two schemas, one containing the rules for XML documents that encode security assertions and one containing the rules for XML documents that encode request/response protocol messages. Schemas define not only XML elements and XML attributes, but also datatypes that apply to these constructs.